[anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)
Ángel González Berdasco
angel.gonzalez at incibe.es
Sat Feb 20 00:09:41 CET 2021
JORDI PALET MARTINEZ writes:
> Even worse ...
>
> You've read that, but automated systems will not do, just use the
> abuse mailbox.
>
> Anyway, I think in general the information will get if an automated
> abuse report is sent, will be not personal, but from an organization.
>
> In fact, if they send personal data to the "abuser", I think they
> will be breaking the GDPR, because you need an explicit consent to
> transfer personal data to third parties, right?
>
> And of course, in front of law, all this text is "wet paper". If
> there is a claim because an abuse case, and their customer doesn't
> respond, they may be liable.
>
> Regards,
> Jordi
> @jordipalet
It can make sense. When there's an abusive resource that
usually falls in one of these two cases:
a) The customer was compromised by the bad guy
b) The customer itself is the evil guy
For case a) it absolutely makes sense to notify the
customer. More so, they *should* notify them (independently
of other measures they may take). If they aren't aware of
the issue, they will hardly fix the vulnerabilities on
their site.
For case b) the customer SHALL NOT be notified. The
provider itself must handle the complaint, not the evil
guy.
Now, every company has its own procedures. A few will
directly delete the customer account, even in case a).
Some will suspend the website and let the customer
clean it themselves. Others will roll the site back
to a previous backup, or otherwise delete the extraneous
files themselves.
Some companies pass along the complaints to the customer.
Especially when the server is fully administered by the
customer, as seems to be offered by this company
("dedizierte Root-Server").
Some companies will oversee that the customer does handle
such complaints in a satisfactory way. I'm afraid others
won't.
But I see no problem in that they forward _certain_
reports to the customer. Ideally, the company itself
would have someone handling the queue and classifying if
the report is spam and must be discarded, if it should
be passed to the customer to take action (albeit not
necessarily providing the details of the sender!), or
investigated by the provider.
Using an automated mechanism does result in faster
processing, at the cost of lower quality.
I appreciate that they openly reveal their policy. We
reported some case explicitly stating not to send it
to the customer, just to receive a "We have passed
this to the customer" response.
I sorely miss that they included a slow way to contact
them in that banner (the hostmaster account, I guess?)
for the case you don't want it forwarded but, if
properly managed (which we don't know if they do), an
automated system which automatically handles most reports
could be acceptable. Not ideal, but still somewhat acceptable.
Note we don't know if it's a dumb system that forwards
everything, or if it's smart enough to identify the
typology of most mails and decide based on a number of
factors if it should be forwarded or not. Nor how
this compares with the humans that would otherwise
be handling such queue manually.
Best regards
--
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys